
I am building a service with a backend (Laravel) and a frontend SPA (Vue.js, vue-cli 3). I need to do auth via an httpOnly cookie (not localStorage). I use tymondesigns/jwt-auth as the API auth package.

My environment is:

  • API route: http://brideplanner.test/api
  • SPA route: http://app-test.brideplanner.test:81/

My login route is /api/auth/login, controller method is:

public function login()
{
    // Only the two credential fields are taken from the request body.
    $credentials = request(['email', 'password']);
    $user = User::where('email', '=', $credentials['email'])->first();

    // attempt() checks the password and, on success, returns a signed JWT
    // that carries the extra claims (subject id and a random CSRF token).
    if (!$user || !$token = auth()->claims(['sub' => $user->id, 'csrf-token' => str_random(32)])->attempt($credentials)) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    // cookie() arguments: name, value, minutes, path, domain, secure, httpOnly.
    // The path must be '/' (the original passed ".brideplanner.test" as the path,
    // which is what the Set-Cookie header below shows); the domain belongs in the
    // next slot, and httpOnly is true so the token is not readable from JavaScript.
    return response()
        ->json('success')
        ->withCookie('token', $token, config('jwt.ttl'), '/', '.brideplanner.test', false, true);
}

But when I send a request to the API, there is no token item in the cookie storage. What's wrong here? Why is there no token? What should I do?

UPD: I tested the request via postman and I got the token:

Set-Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9icmlkZXBsYW5uZXIudGVzdFwvYXBpXC9hdXRoXC9sb2dpbiIsImlhdCI6MTU1MTM5NDMwNCwiZXhwIjoxNTUxMzk1MjA0LCJuYmYiOjE1NTEzOTQzMDQsImp0aSI6Im9uU1NtWEpSU0prR3NKc3giLCJzdWIiOjEsInBydiI6Ijg3ZTBhZjFlZjlmZDE1ODEyZmRlYzk3MTUzYTE0ZTBiMDQ3NTQ2YWEiLCIwIjoic3ViIiwiMSI6ImNzcmYtdG9rZW4iLCJjc3JmLXRva2VuIjoiTE9jSDFCWG9ITFJBMjlFYTg2MG1XQXhrVnpTR2gzT2oifQ.mnR4C6bwMIVptU64eZ6tN-gCYyFEuCIk_dm6dJsXrLY; expires=Thu, 28-Feb-2019 23:06:44 GMT; Max-Age=900; path=.brideplanner.test; domain=.brideplanner.test; httponly

But when I send the request from my SPA (http://app-test.brideplanner.test:81/), it goes wrong.

Alexxosipov
  • Have you considered using Laravel Passport? https://laravel.com/docs/5.7/passport – dparoli Feb 28 '19 at 22:56
  • @dparoli passport is excessive in this case, I don't need to do something like 3rd party auth. I need to have an API for my SPA application only – Alexxosipov Feb 28 '19 at 22:58

1 Answer


In a default Laravel install, the api routes do not have the middleware (Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse) enabled that handles cookies.

You can enable this middleware on your API routes, if you really need cookie-based auth, but be sure to read up on the differences.

ceejayoz
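The middleware change the answer describes, as an added example that is not code from the question or the answer: the stock Laravel 5.7 `api` group beside a copy with `AddQueuedCookiesToResponse` enabled. Class names and the default group contents are Laravel's own; the file layout assumes an unmodified install, and only the cookie-queue middleware is added because whether `EncryptCookies` should also wrap the token cookie depends on how jwt-auth reads it, which this page does not cover.

```php
<?php
// app/Http/Kernel.php (excerpt). Example added to illustrate the answer;
// not the question author's or the answerer's code.

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $middlewareGroups = [
        // The 'web' group in a default install already carries the two
        // cookie middleware, which is why browser-facing routes get cookies
        // without any extra work.
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        // Stock 'api' group: throttling and route-model binding only. With
        // this group, anything queued via Cookie::queue() on an /api route
        // never reaches the response, because nothing attaches it.
        //
        // 'api' => [
        //     'throttle:60,1',
        //     'bindings',
        // ],

        // 'api' group with cookie handling enabled, as the answer suggests.
        // Queued cookies are now written to Set-Cookie on API responses;
        // the throttle stays first in line so rejected requests are cheap.
        'api' => [
            'throttle:60,1',
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            'bindings',
        ],
    ];
}
```

With this group in place, `Cookie::queue(cookie('token', $token, config('jwt.ttl'), '/', '.brideplanner.test', false, true))` on an /api route is attached to the response. Keep in mind that `app-test.brideplanner.test:81` and `brideplanner.test` are different origins, so the browser stores a Set-Cookie from an XHR only when the request is sent with credentials and the API answers with a matching, non-wildcard CORS origin and `Access-Control-Allow-Credentials: true`.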
  • I updated the question. I tested the request via postman and I receive the cookie-set as expected. But from browser it goes wrong – Alexxosipov Feb 28 '19 at 22:55
  • You may have a cookie from `.brideplanner.test` that wasn't set by `app-test.brideplanner.test:81`. Please check the middleware approach I highlighted. – ceejayoz Feb 28 '19 at 23:07
  • You mean I can't set a cookie `.brideplanner.test` from `test.brideplanner.test`? I don't understand why it doesn't set from the request to `/api/auth/login` – Alexxosipov Feb 28 '19 at 23:12
  • I'm saying you see the cookie in the response because `app-test.brideplanner.test` is sending back the `.brideplanner.test` cookie it received, but none of the *new* or *updated* cookies it's setting ever get set, because you don't have the middleware. – ceejayoz Mar 01 '19 at 00:01
  • Thank you! I was banging my head for an hour over this. Upgraded Laravel and my API authentication just stopped working... – Maciej Swic Jul 23 '20 at 12:16